Identifier-Based Encryption (IBE) is an emerging cryptographic schema. In this schema (see FIG. 1 of the accompanying drawings),a data provider 10 encrypts payload data 13 using both an encryption key string 14, and public data 15 provided by a trusted authority 12. This public data 15 is derived by the trusted authority 12 using private data 17 and a one-way function 18. The data provider 10 then provides the encrypted payload data <13> to a recipient 11 who decrypts it using a decryption key computed by the trusted authority 12 based on the encryption key string and its own private data.
A feature of identifier-based encryption is that because the decryption key is generated from the encryption key string, its generation can be postponed until needed for decryption.
Another feature of identifier-based encryption is that the encryption key string is cryptographically unconstrained though it is usually used to specify conditions serving to “identify” the intended message recipient and this has given rise to the use of the label “identifier-based” or “identity-based” generally for cryptographic methods of this type.
To ensure that the conditions are met before a recipient can read the payload data 13, the trusted authority 12 is arranged only to provide the decryption key to the recipient 11 (over a secure channel) if satisfied that the conditions included in the encryption key are met.
The foregoing encryption-decryption method exhibits a number of potential drawbacks.
More particularly, the conditions are transmitted in clear which may be undesirable particularly where the conditions are identifiers of the intended data receiver. In certain circumstances, it is better for the conditions not to be included in the encryption key but to be provide by the data receiver to the trusted authority. However, this runs the risk of the data receiver modifying the conditions.
It is an object of the present invention to provide improved cryptographic methods and apparatuses.